Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos

Penetration Testing: Re: Penetration Testing Scheduling

Re: Penetration Testing Scheduling

From: Pete Herzog <lists_at_isecom.org>
Date: Thu, 01 May 2008 20:21:47 +0200

Hi,

I just uploaded a little slide with graphic about test types from OSSTMM 3:
http://www.isecom.org/Test_types.ISECOM.pdf

A thorough test is one where the auditor knows what is being tested and the
target knows nothing of the test. This allows the auditor to test the
target as completely as possible including the reactions of the staff. The
worst kind of test is the kind where the auditor knows nothing about the
target and the target is aware of the test because this will only test the
skill of the auditor and the ability of the target to move itself out of
"harm's way".

What kind of test depends on what it is used for. If it is for the client's
education of applied protection then do it however they want it to be done
while explaining to them the value of a thorough audit. If it is for 3rd
party certification then you are obligated to do the best and most thorough
audit the 3rd party needs. Ultimately, the client pays the bill and a good
capitalist will do what fills the coffers. A good auditor however will do
good audits.

-pete.

Yousif_at_Vapt-Sec.com wrote:
> I appreciate everyones commentary on what I've questioned, but I don't think anyones providing a definite answer. If it's up the client, then that's done with, it's clearly going to be what they want, not a problem. What if they don't take you up on that and you are the decision maker. I'm getting worthless comments from people telling me that I should always have permission before security testing, but keep in mind that everyone knows that, commentary like that is just useless. Now, to focus on the question, let's say both parties agree to fulfill the security testing, and the contracts have been signed, and the setup in general has been completed. To go on with your testing, do you let them know exactly a date/time O R do you simply let them know it's a week from now.. I'm clarifying this because it seems like a lot of people are giving options, and that's always good to have a choice, but I'm looking more for the "right" thing to do..
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
>

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Received on May 01 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]